Debug v19 and option MAIN_DISALLOW_URL_INTO_DESCRIPTIONS

htdocs/core/class/doleditor.class.php

@@ -173,6 +173,9 @@ class DolEditor
 				if (empty($conf->global->FCKEDITOR_ENABLE_PDF)) {
 					$pluginstodisable .= ',exportpdf';
 				}
+				if (!empty($conf->global->MAIN_DISALLOW_URL_INTO_DESCRIPTIONS)) {
+					$this->uselocalbrowser = 0;	// Can't use browser to navigate into files. Only links with "<img src=data:..." are allowed.
+				}
 				$scaytautostartup = '';
 				if (!empty($conf->global->FCKEDITOR_ENABLE_SCAYT_AUTOSTARTUP)) {
 					$scaytautostartup = 'scayt_autoStartup: true,';

htdocs/core/lib/functions.lib.php

@@ -7635,18 +7635,19 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
 		} while ($oldstringtoclean != $out);
 
 		// Check the limit of external links that are automatically executed in a Rich text content. We count:
-		// '<img' to avoid <img src="http...">
+		// '<img' to avoid <img src="http...">,  we can only accept "<img src="data:..."
 		// 'url(' to avoid inline style like background: url(http...
 		// '<link' to avoid <link href="http...">
 		$reg = array();
-		preg_match_all('/(<img|url\(|<link)/i', $out, $reg);
-		$nbextlink = count($reg[0]);
-		if ($nbextlink > getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)) {
+		$tmpout = preg_replace('/<img src="data:/mi', '<__IMG_SRC_DATA__ src="data:', $out);
+		preg_match_all('/(<img|url\(|<link)/i', $tmpout, $reg);
+		$nblinks = count($reg[0]);
+		if ($nblinks > getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)) {
 			$out = 'ErrorTooManyLinksIntoHTMLString';
 		}
 		//
 		if (!empty($conf->global->MAIN_DISALLOW_URL_INTO_DESCRIPTIONS) || $check == 'restricthtmlnolink') {
-			if ($nbextlink > 0) {
+			if ($nblinks > 0) {
 				$out = 'ErrorHTMLLinksNotAllowed';
 			}
 		}